[ISN] The West is not very highly concerned with the threat of cyber terrorism

From: InfoSec News (alerts@private)
Date: Thu Dec 14 2006 - 22:47:01 PST


http://www.regnum.ru/english/749825.html

REGNUM News Agency 
December 15, 2006

2006 marks a kind of anniversary: 15 years of a fraud with counterfeited 
advice notes, one of the major frauds in the history of world banking. 
It was about faked credit notes. As a result, in 1991-92, 400 billion 
rubles were embezzled from the Russian Central Bank. The results were 
really catastrophic for Russia.

The theft, unprecedented in world banking, was stopped by the joint 
effort of the Central Bank staff and the Russian company Ancort, which 
in a very short time managed to develop and install a system of 
cryptographic protection of the notes. As a result, despite continuing 
attempts by criminals, no fake credit note has allowed money to be taken 
illegally from the Russian Central Bank. A REGNUM correspondent spoke 
about those events 
with President of Ancort Co Anatoly Klepov.

-=-

REGNUM: Mr. Klepov, the tragic death of Russia's Central Bank First 
Deputy Head Andrei Kozlov makes us speak again on the bygone events of 
the early 90s, when the Central Bank became the object of an unprecedented 
criminal attack known as the fake advice notes fraud. But only a few know 
that you and your company were directly involved in cutting short that 
fraud.

Yes, it is true that our work with the Central Bank started in 1992, at 
the very difficult moment, and has continued until now. Usually, 
cryptographic companies that provide for protection of information do 
not speak to the media commenting on their work with their clients in 
order to observe confidentiality. But now in connection with murder of 
Andrei Kozlov the indignation is very high. Many high-ranking officials 
gave their comments assessing such actions as lawlessness. The State 
Duma has established a special committee to investigate criminalization 
of banking systems, particularly in investigating this murder. MP 
Nikolai Leonov, speaking on TV, directly stated that Kozlov's death was 
directly connected with fake advice notes; Head of the Russian Audit 
Chamber Sergey Stepashin said the same. I think they are right. Andrei 
Kozlov was really occupied with investigation of causes of those events.

The thing is, the war started then is not over yet. And the problem is so 
important that I believe it is my duty to speak even contradictory to 
the official position of the Central Bank leadership that opposes my 
statements to the press. I will not be talking about certain details of 
the Central Bank protection, but I will try to analyze causes of the 
biggest fraud in the history of world banking in order to prevent 
such events from being repeated in banking as well as in other fields, 
state-run and commercial. Some typical mistakes committed in 
organization of the Central Bank information security can be seen in 
other institutions in Russia as well.

There is no comprehensive understanding in the country today of what 
happened in Russia then. It is very important to prevent such fraud from 
taking place again and establish a solid protection against possible 
attacks of cyber criminals.

The reality is, in 1991-92 a cyber war broke out in Russia. Management of 
national strategic financial resources was partially taken under control 
by criminal subjects, but we are still unable to define it clearly, 
whether it was crime or, maybe, some external forces stood behind them 
and tried to destabilize the situation in Russia. For some time, they 
had managed to take under control vast financial flows of Russia's 
National Bank.

What is information war? The dictionary "War and Peace in Concepts and 
Definitions", edited by Dmitry Rogozin, gives general attributes of it:

1. Damaging information systems, processes and critically important 
   national resources.

2. Undermining of political and social systems.

3. Massive psychological pressure upon population aimed at 
   destabilization of society.

All those attributes were present in the case with fake advice notes. 
Functioning of the National Bank information system was seriously 
damaged practically right up to suspension of financial payments in the 
country. Awful inflation connected with massive embezzlement undermined 
people's trust in the democratic Russia, aggravated the social 
atmosphere. And the psychological campaign of intimidating the people 
with the help of the term "Chechen advice note" was necessary for them to 
instigate inter-ethnic discord inside Russia and for its division in the 
long run.

From the technical point of view, all elements of information war were 
present. For instance, imposing false reports, listening-in and 
distortion of information, establishment of false points for information 
transmission and many other things, which now constitute the gist of 
current high-tech information wars.


REGNUM: Were information systems of the Central Bank then modern enough? 
How did it happen that they were so vulnerable?

Problems of the Central Bank were typical enough for the whole former 
USSR. Information systems of the former Soviet Union were very well 
protected strategically at the level of the government, the Central 
Committee of the Communist Party of the Soviet Union and others. 
However, on the tactical level, say, our troops in Afghanistan had great 
problems in information safety.

For instance, encoding of information in handwritten documents, by which 
our troops were equipped, took comparatively long time, which is 
critical in operation. It brought about the situation when army units 
exchanged information by so-called "talking tables", where words like 
"shells" were replaced by "water-melons" and "cartridges" were called 
"cucumbers". Under current rules, the words taken from the talking tables 
were to be coded by handwritten encoding documents in order not to let 
the enemy determine correct meaning of the words. But it is hard to 
imagine how this can be done during operation, so the 
fruit-and-vegetables exchange of information was broadcast. Of 
course, in some time the enemy knew the correspondence between words and 
phrases and laid an ambush where it wanted to. Nobody knows for sure how 
many of our troops and officers died of it.

The situation reiterated in Nagorno Karabakh and Chechen wars. Numerous 
stern decrees were issued to ban use of talking tables without encoding, 
but, alas, if technical equipment does not correspond with demand of 
reality, the human factor plays its tragic role. This fruit coding 
played its role in the case with fake advice notes.

It can be said conditionally that protection of financial advice notes 
exchange between cash calculation centers was a tactical task for the 
Central Bank, practically the same as in the army. The whole political 
system generates one and the same errors, particularly, technical ones. 
For the chief executive a whisper in the phone hanger is encoded, and 
for the ranks there are inconvenient coding tables. In the USSR it 
became apparent in everything, not only in the military. The legacy of 
the Soviet times is a disrespectful attitude to the people who are 
fulfilling governmental tasks, be it military service or banking, which 
resulted in tremendous theft. In cyber war the concept of a tactical 
unit is completely different from the one in a usual war; often setbacks 
in its protection can result in losing control over strategic 
information resources, which happened at the Central Bank. We 
encountered new concepts in the sphere of information wars and the main 
one of them is that any information unit of our protection should be 
secured. Otherwise, a skilled cyber attack will give the enemy a 
brilliant opportunity to penetrate unnoticed our information systems and 
then destroy them.

As Interior Minister Rashid Nurgaliyev said recently, trillions of 
rubles were stolen then. Evidently, from the technical point of view it 
was done very professionally.

What was trillions of rubles for Russia in 1991-92? Those were budget 
money. State-financed enterprises, first of all, defense enterprises 
received no money and started closing. In that period major companies 
ceased or suspended their functioning. Dozens of thousands of bright 
technologists, engineers were ousted from work. First of all, the 
military industrial complex was damaged, not only production, but 
scientific intelligentsia of Russia, who traditionally used to work in 
the defense industry.

Healthcare financing and payment of pensions drastically decreased, a 
crisis happened to the financial system; all savings of the population 
burned in inflation. Life span decreased. Thus, if we sum up, the theft 
of the Central Bank in its economic consequences was comparable to a 
nuclear aggression against our country. It was a real cyber war, not 
just an act of cyber terrorism.

The embezzled money was taken abroad, plants and factories were bought 
for it; this was how the financial basis for cyber terrorism was 
laid. Criminals understood they can have incredible money with the help 
of special technical means and started developing them.

What the power of cyber terrorism is, we felt it to the full extent in 
Chechnya, where special equipment was applied against our troops both in 
the first and the second wars in Chechnya. We contributed as much as we 
could in fighting cyber terrorism: we presented thousands of encoding 
units to police troops and Air Forces. Cyber terrorism is not only 
technical means; it often affects the administrative resource as well. 
We did not have a right to sell our encoding equipment officially in the 
quality our troops needed it and we could give it to them as a present 
only. Some of our governmental officials were indifferent to death of 
troops and 
officers, the main thing was not to breach the instructions that they 
had prepared deriving from the principle of preserving their wealth in 
Moscow.

Naturally, cyber terrorism is not only a Russian phenomenon. For 
instance, al-Qaeda's cyber terrorism ended up with September 11. There is 
nothing strange in it. In Afghanistan, dushmans were with great 
attention examining US systems of interception of our aircrafts and 
helicopters communication, information monitoring of military air bases 
including remote control of airplanes. Then, a vast interest was shown 
in numerous exhibitions of special equipment for interception and 
listening-in held in Russia in 1991-93. Combining US and Soviet 
technologies in the field of conducting information wars and receiving 
practical experience in Chechnya, al-Qaeda's terrorism entered the 
international arena. I believe that no serious terror attack has been 
carried out nowadays without participation of cyber terrorists. As they 
carry out their actions at the highest technological level, so they need 
to conduct preliminary research: they listen in to something, receive 
and process information and make general analysis to determine the weak 
points. It is a mistake to believe that cyber terrorism attacks only 
computer networks or internet. Its technical potential is much more 
extensive, which was shown by the recent war in Lebanon.

It was not without reason, when President Putin announced at a meeting 
with prosecutors that cyber terrorism is the main threat for the 21st 
century. There are weighty grounds for it.


REGNUM: Let us get back to the events of 1992. At some moment it became 
clear what was going on and the Central Bank leadership comprehended how 
it should secure its safety?

As then-chair of the Central Bank Viktor Gerashchenko said in his speech 
at the seventh congress of people's deputies, the financial system of the 
Central Bank was in collapse, practically it was stopped. As one could 
have predicted, chaos expected us, government reshuffle and so on. It 
became clear that we should protect ourselves immediately. But how? They 
were supposed to build a new well-protected system of 1,800 new branches 
of cash calculation centers and restore the Russian financial system 
soon. The Central Bank turned to us with this task.


REGNUM: Why was it you?

Because protection was to be done professionally, fast and for sure. And 
the most important thing: the equipment needed to be mass and not 
expensive. Like Kalashnikov machine gun during the war. We could provide 
it, as we have a production plant in Zelenograd (not far from Moscow).

We elaborated a unique cryptographic protection system. Some elements of 
the system have no analogs in the world. Each payment under an advice 
note was protected by a mini electronic digital signature. The notes 
could be sent via telex between the cash calculation centers. It is 
impossible to counterfeit such payment.

When the work started, the Central Bank did not trust anyone. It was an 
unprecedented thing for a governmental agency, but, probably, there were 
grounds for it. The leadership of the bank felt that someone inside the 
Bank was working for criminals, so they decided to produce keys on the 
first stage at our office. At next stages the Central Bank made the keys 
by itself.

So, overall, the technical part of the assignment was done only by 
Ancort company. We were supposed to deliver 6,000 encoders, work out 
unique cryptographic solutions for 1,800 clients of the network, rules 
of functioning of the network and many other things to secure needed 
level of information protection of the Central Bank network. Our company 
fulfilled its duty and since December 1, 1992 protection system of the 
Central Bank started functioning. For more than 14 years nobody managed 
to counterfeit a Central Bank advice note technically.

Naturally, it was very and very insecure. We had no arms, but had to 
wear flak jackets. We encountered face to face with our enemies. 
Criminals came with guns, blockaded production of encoders, so we had to 
take them to a safe place; they brought plenty of money to graft us, 
threatened and urged to give them the keys. But they were late and we 
told them: "Whatever you do, gentlemen, it will be in vain: the system is 
launched, and you will never succeed in changing it."

On the other hand, governmental agencies suddenly recollected: how, 
without their knowledge, is protection of a state bank being secured? If 
something happens, they can be dismissed. They started criminal 
proceedings against the company's leadership on the charge of 
unsanctioned supply of equipment to the Central Bank. We turned for help 
to be protected from the crime, but we were told that if we hand over 
money to a very respectable governmental official, we shall have full 
protection. We rejected such proposals that were in conflict with our 
position, which is clear-cut: we do not sell and do not denounce.

Those years of 1991-92 were the most controversial years of formation of 
the country, when the most important question was being decided whether 
Russia will exist or shall we enter a civil war with unpredictable 
results.

The whole burden of protection of the Central Bank finances was put on 
shoulders of Russian women then. The Central Bank financial system 
consisted of 1,800 calculation centers all over Russia. Each center was 
to communicate with the others. So, each center was supposed to be 
equipped with a certain number of encoders and train operators how to 
work with them. When we asked how many they were, we were told about 
5,000 people. We were to teach them how to work with encoders within two 
months to make the system operate. It was 5,000 female cryptographers, 
as mostly women were engaged in such activity at the bank. The history 
of the USSR and Russia has never seen this before. It is unbelievable, 
but the system was launched within two months, and it is the major 
achievement of our women. Those women won the cyber war with criminals, 
and there were over 10,000 of them, according to the Interior Ministry 
information.


REGNUM: The fact that the galloping inflation by the end of 1992 slowed 
down should be evidently considered as a sign that they managed to fill 
up a gap in the Central Bank protection, shouldn't it?

Yes, it should. But now Andrei Kozlov started investigating why those 
events became possible from organizational point of view. He was very 
intent to the problem of leak of insider information. Do you remember 
his statement this year on colossal downfall of Gazprom shares because 
of that?

Cyber war has to do not only with technical issues, but with who and why 
permitted to do actions like this. When we investigate this, we usually 
come to a conclusion that people behind it were not ordinary criminals. 
It was very well equipped crime led by very competent persons.


REGNUM: Do you have any ideas of who can it be?

We do not know it. But what we know is that they were very professional. 
A cyber war cannot be considered accomplished until a thorough analysis 
is made on how such a system could be created that could be so easily 
destroyed. When we started the job to protect financial operations of 
the Central Bank, we saw a system that had so many gaps that it could 
hardly exist.


REGNUM: And what about the current system? Can we be sure it was created 
without envisaging theft?

Any system should be modernized and improved constantly. And at present 
time, the Central Bank spares no effort on it.

As for general issues of protection of Russian information resources, as 
before the most attention is paid to protection of strategic information 
networks, while attacks of cyber terrorism cover the most updated and 
first of all mass communication networks. It is in constant search for 
gaps in protection shield.

For example, nowadays, one of the most popular ways of cyber crime is 
collection of personal information. How do hackers penetrate data bases? 
Under information of Kaspersky Laboratory, it is done through tapping 
phones. It is very easy: say, a system administrator returns home from 
work, and suddenly he receives a call from the office saying: "Our server 
is buzzed, tell us the password." He answers, but his phone is tapped. Do 
not think that hackers are super geniuses. They stake mostly on human 
factor: someone wrote down the password somewhere, left the paper 
visible for everyone; they make money mostly on such things. Of course, 
they have accomplices inside. As a result, annual losses from cyber 
attacks total about $100 bln.

Plenty of statements were made by media on the case of the Kozlov murder 
saying that it is necessary to do away with crime. Deputy chair of the 
Russian State Duma Vladimir Zhirinovsky in an interview to Ekho Moskvy 
Radio proposed to increase phone tapping. But none of our governmental 
officials ever asked themselves a question: do we have reliable personal 
information protection for each member of the State Duma or for Interior 
Ministry officers, who investigate high-profile crimes?

Now and then we hear formidable reports that criminal proceedings were 
started on a case of an information leak from investigation of a 
contract murder, but at the same time we see on TV how very important 
persons talk by their cell phones from the site of the crime, but I 
never saw any special cryptographic cell phone by them. Isn't it the main 
way of information leak?

I think the Russian prosecution should be asked: Are our prosecutors and 
the investigative bodies that are on the forefront of the fight against 
terrorism well protected from cyber terrorists? Are they ready for a 
cyber war or not, like the Central Bank wasn't in its time?

State Duma members do go abroad and use their cell phones there. 
Contents of their talks and their voices can be easily faked and forged 
statements can be released on their behalf. Won't it hurt Russia's 
prestige?

Is the presidential team ready for it? Well, he does not use ordinary 
means of communication. But what about his personal doctor? And 
reporters, who accompany him? Isn't a cyber terrorist able to compromise 
some of them, forging someone's voice or somehow else? We know from mass 
media about permanent scandals involving unsanctioned tapping of cell 
phones in some Western countries. For example, in Greece and Italy even 
the country's leadership was tapped. Do we have guarantees that cyber 
terrorists will not choose for their attacks officials of the Russian 
foreign ministry who work abroad? Recently the number of Russian 
citizens detained abroad after tapping their phones increased and the 
trend is alarming.

Over 140 mln cell phones are now used in Russia; they provide for 
accessible and convenient connection. There is a special, very reliable 
subsystem of confidential cellular connection on the basis of Megafon 
operator. There is only one analogous system, in the United States. As 
we know, now it is used mostly by top-ranking governmental officials, 
although commercial companies can also join the subsystem.

What does put limits on the use of it? The answer is simple: absence of 
a relatively low-cost crypto smart phone with confidentiality 
protection. It will allow to settle the task of personal information 
protection of dozens of thousands of police officers and civil servants, 
including those from the foreign ministry. Why doesn't the State Duma 
establish a special group to study question of information protection of 
personal data for Russian civil servants because of the increasing 
activity of cyber terrorism? The matter is not only technical or 
economical, but an organizational one. We faced practically the same 
problem many years ago while creating our coder for the Central Bank, 
which was 20 times less expensive than analogous coders made by 
state-run companies.

Now, cyber terrorism has been searching for new methods and approaches. 
Are we ready to withstand its attacks?


REGNUM: Can you cite as examples some countries where information 
protection system is built taking into consideration the threats you are 
talking 
about?

Russia is here on the forefront as well. We managed to survive the first 
cyber war that had no analogs in international practice. The West has 
not felt yet the grave consequences of cyber terrorists' attacks. I 
remember an interesting case. Once I told a high-ranking Arab police 
officer that criminals were installing cameras on cash machines to steal 
money and it is necessary to take measures to prevent from it. His 
answer was that it is impossible in a Muslim country, where theft is 
punished under the Sharia law. A year later cyber criminals stole $11 
bln from cash machines with the help of cameras installed on cash 
machines. Besides, many Western banks use a very weak bank-client system 
in terms of protection. In some points it resembles the system of the 
Central Bank that was successfully hacked by cyber terrorists.

Not long ago cyber terrorists started tapping phones of the UK military 
in Iraq and then called their relatives in Britain. It is very dangerous 
for families of troops, who are very concerned about their relatives. 
Well, cyber terrorists can forge any information, which can result in 
tragic consequences. The UK authorities can turn to the Russian Interior 
Ministry and they will be officially noted on facts of racketeering or 
fraud with the use of cell phones.

Generally, I would say that the West is not very highly concerned with 
the threat of cyber terrorism. But soon they will feel this threat in 
its full extent. Most probably, Europeans do not comprehend yet that the 
situation started changing. Although, recently I read an interesting 
article by Magnus Ranstorp, former Director of Centre for the Study of 
Terrorism and Political Violence at the University of St Andrews, 
Scotland, called "Al Qaeda Wages Cyber War against US", where he says that 
al-Qaeda pays much attention to studying the cyberspace and searching 
for vulnerable spots in it, and the question is not whether it will wage 
the war, but when it will do it.


REGNUM: In Russia the cyber war started as early as in 1992. Has it 
finished?

We cannot state it is finished. It is not stable in Chechnya, where 
signs of cyber war were clearly seen. Of course, cyber terrorists are 
trying to apply profits earned in a criminal way in economic and 
political tasks. A very thorough analysis of the situation usually 
precedes physical conflicts.

I have always stressed that Russia should be ready to withstand any 
attack of cyber attack. Today, in the days of information wars, it is 
necessary for Russia to have effective mass technical means of 
protection; the means ought to be made in Russia and to cost not much. 
Unfortunately, I did not see comprehension of this in any statement by 
any politician.


REGNUM: What do you think, who should create mass systems of information 
protection, state-run or commercial companies?

Now private companies are doing it under control of governmental 
agencies who certify such activity. Private enterprises are trusted 
already to protect state secrets, although often certification increases 
the price of their product.

